Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b65126fe236bb1e…

MALICIOUS

PDF

55.0 KB Created: 2011-01-14 00:19:20 +02:00 Authoring application: http://google.wiki.usfca.edu/ (via mPDF 5.0)
MD5: d7b691001220df2bfe10a26c338c9b54 SHA-1: 7649070c2cf54e2a5d57dd935d12ce6e3deebbe2 SHA-256: 0b65126fe236bb1e7300fde7467d164ec97e928b39fea3585f893df28c1046c6
108 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains obfuscated JavaScript that utilizes the getURL function to redirect the user to 'http://searchglobalsite.com/in.cgi?17'. This URL is flagged as unknown and is the primary indicator of malicious intent. The ML classifier also strongly flagged this PDF as malicious. The JavaScript's purpose is to download and execute a second-stage payload from the specified URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9041

Heuristics 5

  • Obfuscated document JavaScript getURL redirector high PDF_JS_OBFUSCATED_GETURL_REDIRECTOR
    PDF document-level JavaScript automatically calls getURL() on an HTTP(S) destination hidden behind percent escapes. The decoded path is a redirector-style endpoint such as /in.cgi or /go.php. This is malicious routing behavior rather than a PDF parser CVE.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://searchglobalsite.com/in.cgi?17
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0036_000.js
a2620a0be21a26956e8296a3c8163c8c260cb6a920586f15a19c6e170ac30940		 pdf-javascript-stream PDF /JS object 36 at offset 0xD3D9 136 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).
stream_003_off00001972.bin
dcd1ba64d747e0bf0b9b8ecc270a7bea07ca4cd5917a768cd217f1d51287033b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1972 17772 bytes
font_01_sfnt_off0000478d.bin
a8ed3909966b10c026f46212f55dce68c94667ce1ac039797d3ebfa1d644dacf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x478D 17892 bytes
font_02_sfnt_off000075cd.bin
4ee4e439b16220e78b319060a3d86ba95cd4b8614522dd4fa1d4df274793c516		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75CD 18720 bytes
font_03_sfnt_off0000a85a.bin
e3eeacc5b1f780160b253f248c40fb29e5cb6416f62dd9413712ea70c37f26c9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA85A 18756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.